Up until now TurnKey hasn't had an explicit privacy policy, and that seemed ok because no one ever asked about it. But now that the latest release integrates TurnKey appliances more closely with the TurnKey Hub (e.g., TKLBAM, geo-ip auto apt mirror) and the Hub gets access to sensitive data as part of its normal operation, I felt it was about time we gave this some more thought.

On the other hand, even though we didn't have an explicit privacy policy before, I do feel our adoption of the Ubuntu Code of Conduct gave us an implicit privacy policy by making it clear we respect our users and expect them to respect us, and each other, in return.

To put it bluntly, we don't need no stinking privacy policy to avoid breaking your trust. But sometimes it doesn't hurt to spell things out and dispel any doubts. For the record. Here's what I came up with...

Short, to the point and in plain English: we don't like to read 20 page privacy policies full of opaque legalese, so we're not going to make you read one of those either.

We follow the golden rule: we promise to treat your private data with the same respect we would like our private data to be treated. In a nutshell, that means we're not going to give anyone access to your private data unless you ask us to. With one exception: if we're served a court warrant in the proper jurisdiction, we're not going to jail for you, but we will notify you, if we're legally allowed. Note that we've never received a court warrant and we'd like it to stay that way.

We hate spam: so we're not going to spam you or share your e-mail address with anyone. If you suspect otherwise you're invited to register with a unique e-mail address (e.g., used only with TurnKey) and complain loudly if anything fishy happens.

We collect the usual: we use cookies to authenticate user sessions, log web server requests and use Google Analytics to collect and examine aggregate usage statistics which help us understand how users interact with the web site.

We're listening: if you think there is some way we can help improve your privacy, let us know!

Most of the time these 20 page legalese documents are there to allow the organization the free will to do whatever they want with your data/information as long as they follow whatever laws they want to or what they've been caught breaking.

If an organization doesn't have a privacy policy, they're not making any promises on what they will or won't do with the data they collect. They can do whatever they want with the data by default.

In my mind the only legitimate use for a privacy policy is to pledge self-restraint. I'd be mighty suspicious of an organization that posts a "privacy" policy that leaves enough holes in it to drive a truck through. If you're not committed to privacy, better not to promise anything at all.